The Strangler Fig pattern is an incremental modernization approach that wraps legacy systems with new interfaces and gradually shifts traffic away from the old core. It reduces migration risk by allowing validation and rollback at each step while business operations continue.
Expanded Definition
The Strangler Fig pattern is a modernization method that incrementally replaces a legacy system by placing a new interface layer in front of it, then routing discrete functions to the new environment over time. In NHI and IAM programs, that usually means preserving existing service accounts, API keys, and integrations long enough to keep operations stable while new control planes take over.
It is not the same as a simple rewrite or a one-time cutover. The pattern is intentionally transitional: traffic is split, monitored, and reduced on the legacy side only after the replacement path proves reliable. That makes it especially useful where authentication, authorization, and secret dependencies are deeply embedded in business workflows. The approach aligns well with the risk management intent of the NIST Cybersecurity Framework 2.0, but definitions vary across vendors on how much of the old system must remain in place before a project qualifies as a true Strangler Fig implementation.
The most common misapplication is treating a proxy or API gateway as the full pattern, which occurs when teams add a front door but never build a governed plan to retire legacy identity paths.
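The routing and rollback mechanics described above, as an added illustration that is not code from the original article or from NHI Mgmt Group: a small facade that fronts each legacy function, sends a configurable share of traffic to its replacement, keys the split on the calling principal so a half-migrated dependency behaves consistently, and automatically rolls a function back to the legacy path when the new path's error rate exceeds a threshold. The backends are stub callables standing in for real services, and all names, thresholds and route identifiers are assumptions.

```python
# Added example (not from the original article): a minimal strangler facade that
# routes each function to its legacy or modern handler by migration share and
# rolls back automatically when the modern path misbehaves. Backends are stubs.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict

Handler = Callable[[dict], dict]


@dataclass
class Route:
    name: str
    legacy: Handler
    modern: Handler
    modern_share: float = 0.0      # fraction of traffic sent to the new path (0.0..1.0)
    max_error_rate: float = 0.05   # rollback threshold for the new path
    min_calls_before_judging: int = 20
    modern_calls: int = 0
    modern_errors: int = 0
    rolled_back: bool = False


class StranglerFacade:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def register(self, route: Route) -> None:
        self.routes[route.name] = route

    def promote(self, name: str, modern_share: float) -> None:
        """Move more traffic to the new path; call only after the current share proved stable."""
        route = self.routes[name]
        if route.rolled_back:
            raise RuntimeError(f"{name} was rolled back; investigate before promoting again")
        route.modern_share = max(0.0, min(1.0, modern_share))

    @staticmethod
    def _goes_modern(route: Route, key: str) -> bool:
        # Deterministic split keyed on the caller: the same principal always lands on
        # the same side, so a partially migrated dependency sees consistent behaviour.
        digest = hashlib.sha256(f"{route.name}:{key}".encode()).hexdigest()
        bucket = int(digest[:8], 16) / 0x100000000   # value in [0, 1)
        return bucket < route.modern_share

    def handle(self, name: str, request: dict) -> dict:
        route = self.routes[name]
        key = str(request.get("principal", ""))
        if not route.rolled_back and self._goes_modern(route, key):
            route.modern_calls += 1
            try:
                return {**route.modern(request), "served_by": "modern"}
            except Exception:
                route.modern_errors += 1
                self._maybe_roll_back(route)
                # Serve this request from the legacy path so the caller is unaffected.
                return {**route.legacy(request), "served_by": "legacy", "fallback": True}
        return {**route.legacy(request), "served_by": "legacy"}

    @staticmethod
    def _maybe_roll_back(route: Route) -> None:
        if route.modern_calls < route.min_calls_before_judging:
            return
        if route.modern_errors / route.modern_calls > route.max_error_rate:
            route.rolled_back = True
            route.modern_share = 0.0

    def status(self) -> Dict[str, dict]:
        return {
            n: {"modern_share": r.modern_share, "modern_calls": r.modern_calls,
                "modern_errors": r.modern_errors, "rolled_back": r.rolled_back}
            for n, r in self.routes.items()
        }


# Stub backends (constructed for the example; real ones would be HTTP clients).
def legacy_token_check(req: dict) -> dict:
    return {"ok": True, "token_source": "legacy-db"}


def modern_token_check(req: dict) -> dict:
    return {"ok": True, "token_source": "new-idp"}


def broken_modern(req: dict) -> dict:
    raise ConnectionError("new path unavailable")


def demo() -> StranglerFacade:
    facade = StranglerFacade()
    facade.register(Route("payroll.auth", legacy_token_check, modern_token_check, modern_share=0.5))
    facade.register(Route("payroll.export", legacy_token_check, broken_modern, modern_share=1.0))
    for i in range(200):
        facade.handle("payroll.auth", {"principal": f"svc-{i}"})
    for i in range(30):
        facade.handle("payroll.export", {"principal": f"svc-{i}"})
    return facade


if __name__ == "__main__":
    print(demo().status())
```

The `payroll.export` route in the demo shows the failure mode that matters for identity migrations: the new path is unreachable, so after the first twenty attempts the facade flips the function back to legacy and refuses further promotion until someone has looked at it, while every affected request was still answered from the old path.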
Examples and Use Cases
Implementing the Strangler Fig pattern rigorously often introduces temporary duplication, requiring organisations to weigh faster delivery and lower migration risk against short-term operational complexity.
- Replacing a legacy payroll platform by moving authentication and API calls to a new service while the old back end continues serving untouched functions.
- Modernizing a service account estate by wrapping old applications with a new secrets broker, then rotating credentials incrementally as each dependency is validated. The Ultimate Guide to NHIs is useful for understanding why phased credential retirement matters.
- Shifting customer-facing traffic from a monolith to microservices one endpoint at a time, using rollback controls when identity or authorization behaviour changes.
- Federating an old internal app behind a new identity layer so that access policies can be enforced centrally before the legacy login is decommissioned.
- Applying the pattern to CI/CD pipelines by moving secret retrieval from hard-coded config toward managed vault workflows, reducing exposure while preserving delivery speed.
In practice, this pattern is most valuable where the dependency map is incomplete and the business cannot tolerate a hard stop, which is common in environments with fragile service-to-service authentication or undocumented secrets sprawl.
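The secrets-broker and CI/CD use cases above (wrapping applications with a new broker, then moving secret retrieval from hard-coded config toward a vault one secret at a time) as an added example that is not code from the original article or from NHI Mgmt Group. The broker resolves each secret according to a per-secret phase: legacy only, dual read (vault first, legacy fallback recorded), or vault only (no fallback, a miss fails loudly). It also keeps an inventory of where each secret still lives, which is the information the phased retirement needs. The vault and legacy config are in-memory dicts standing in for a real vault client and config file, and all secret names and values are constructed for the example.

```python
# Added example (not from the original article): a secrets broker shim that moves
# secret lookups from legacy config to a vault per secret, recording every legacy
# fallback so the remaining legacy dependencies stay visible. Stores are stub dicts.
from dataclasses import dataclass
from typing import Dict, List, Optional

LEGACY_ONLY, DUAL_READ, VAULT_ONLY = "legacy_only", "dual_read", "vault_only"
PHASES = (LEGACY_ONLY, DUAL_READ, VAULT_ONLY)


@dataclass
class BrokerEvent:
    secret: str
    phase: str
    source: str   # "vault", "legacy" or "missing"


class SecretBroker:
    def __init__(self, vault: Dict[str, str], legacy_config: Dict[str, str]) -> None:
        self.vault = vault          # stands in for a managed vault client
        self.legacy = legacy_config  # stands in for hard-coded / file-based config
        self.phase: Dict[str, str] = {}
        self.events: List[BrokerEvent] = []

    def set_phase(self, secret: str, phase: str) -> None:
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        self.phase[secret] = phase

    def get(self, secret: str) -> Optional[str]:
        phase = self.phase.get(secret, LEGACY_ONLY)   # unmigrated secrets stay on legacy
        if phase == LEGACY_ONLY:
            value, source = self.legacy.get(secret), "legacy"
        elif phase == DUAL_READ:
            value, source = self.vault.get(secret), "vault"
            if value is None:
                # Fall back, but record it: the legacy copy is still load-bearing.
                value, source = self.legacy.get(secret), "legacy"
        else:
            # VAULT_ONLY: no silent fallback, a miss surfaces as a failure to fix.
            value, source = self.vault.get(secret), "vault"
        if value is None:
            source = "missing"
        self.events.append(BrokerEvent(secret, phase, source))
        return value

    def legacy_fallbacks(self, secret: str) -> int:
        """Dual-read lookups that had to fall back to the legacy copy."""
        return sum(1 for e in self.events
                   if e.secret == secret and e.phase == DUAL_READ and e.source == "legacy")

    def inventory(self) -> Dict[str, str]:
        """Where each known secret currently lives: legacy_only, both, or vault_only."""
        names = set(self.vault) | set(self.legacy)
        result = {}
        for n in sorted(names):
            in_vault, in_legacy = n in self.vault, n in self.legacy
            result[n] = "both" if in_vault and in_legacy else ("vault_only" if in_vault else "legacy_only")
        return result


def demo() -> SecretBroker:
    # Constructed sample stores; values are placeholders, not real credentials.
    vault = {"db_password": "vault-db-1", "webhook_token": "vault-wh-1"}
    legacy = {"db_password": "cfg-db-0", "webhook_token": "cfg-wh-0",
              "smtp_password": "cfg-smtp-0", "report_key": "cfg-rep-0"}
    broker = SecretBroker(vault, legacy)
    broker.set_phase("db_password", DUAL_READ)
    broker.set_phase("webhook_token", VAULT_ONLY)
    broker.set_phase("report_key", DUAL_READ)     # not yet in the vault: fallback expected
    for name in ("db_password", "webhook_token", "smtp_password", "report_key"):
        broker.get(name)
    return broker


if __name__ == "__main__":
    b = demo()
    print(b.inventory())
    print("report_key fallbacks:", b.legacy_fallbacks("report_key"))
```

A secret is a candidate for deletion from legacy config once it is in the vault and has gone through a dual-read period with zero fallbacks; a secret that is still legacy-only, or that keeps falling back, is exactly the undocumented dependency the pattern is meant to surface.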
Why It Matters in NHI Security
Strangler Fig is not just an application architecture choice. It is a governance strategy for shrinking NHI risk without breaking production. Legacy systems often contain the exact weaknesses highlighted by NHIMG research, including the fact that 96% of organisations store secrets outside of secrets managers and 97% of NHIs carry excessive privileges in practice. A phased modernization program gives teams time to inventory service accounts, introduce rotation, and remove standing access instead of carrying insecure credentials into the next platform generation.
This is where the pattern connects directly to identity resilience and Zero Trust. The goal is not simply to move traffic, but to force each migrated dependency to prove it can operate with bounded privilege, observable authentication, and revocation paths. That operational discipline aligns with guidance in the Ultimate Guide to NHIs and the control logic behind NIST Cybersecurity Framework 2.0.
Organisations typically encounter the full value of the Strangler Fig pattern only after a breach, failed migration, or emergency decommission exposes how much privileged access was still tied to the legacy core.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Incremental migration helps expose and retire hidden NHI paths and legacy dependencies. |
| NIST CSF 2.0 | PR.AC-1 | The pattern changes how access is governed during transition, supporting least-privilege access. |
| NIST Zero Trust (SP 800-207) | | Strangler-style migration supports Zero Trust by progressively constraining implicit trust in old systems. |
Map each migrated path, then remove legacy service accounts and secrets as new controls prove stable.
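A retirement gate for the step just described, and for the earlier requirement that each migrated dependency prove bounded privilege, observable authentication and a working revocation path, as an added example that is not code from the original article or from NHI Mgmt Group. Each legacy service account is paired with the dependency that replaced it, and the gate lists every reason the legacy account cannot yet be removed; an empty list means removal is allowed. The field names, the 14-day and 100-event thresholds, and the sample dependencies are all assumptions constructed for the example.

```python
# Added example (not from the original article): decide whether a legacy service
# account can be retired once its replacement path has proven stable. Criteria follow
# the article; thresholds, field names and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MigratedDependency:
    name: str
    legacy_account: str                       # identifier of the legacy account, never its secret
    new_path_live_since: Optional[datetime] = None
    legacy_calls_since_cutover: int = 0       # any use means an unmapped consumer still exists
    granted_scopes: Set[str] = field(default_factory=set)   # privileges the new identity holds
    required_scopes: Set[str] = field(default_factory=set)  # privileges the new path needs
    auth_events_observed: int = 0             # authentication events seen in telemetry
    revocation_tested: bool = False           # revoking the new credential was exercised


@dataclass
class RetirementPolicy:
    min_stable: timedelta = timedelta(days=14)
    min_auth_events: int = 100


def retirement_blockers(dep: MigratedDependency, policy: RetirementPolicy, now: datetime) -> List[str]:
    """Every reason the legacy account must stay for now; empty means it can be removed."""
    blockers: List[str] = []
    if dep.new_path_live_since is None:
        blockers.append("new path is not live")
    else:
        stable_for = now - dep.new_path_live_since
        if stable_for < policy.min_stable:
            blockers.append(f"new path live for {stable_for.days} days, policy requires {policy.min_stable.days}")
    if dep.legacy_calls_since_cutover > 0:
        blockers.append(f"legacy account used {dep.legacy_calls_since_cutover} times since cutover; "
                        "an unmapped consumer remains")
    excess = dep.granted_scopes - dep.required_scopes
    if excess:
        blockers.append(f"excess privilege on new identity: {sorted(excess)}")
    if dep.auth_events_observed < policy.min_auth_events:
        blockers.append(f"only {dep.auth_events_observed} authentication events observed, "
                        f"policy requires {policy.min_auth_events}")
    if not dep.revocation_tested:
        blockers.append("revocation path untested")
    return blockers


def can_retire(dep: MigratedDependency, policy: RetirementPolicy, now: datetime) -> bool:
    return not retirement_blockers(dep, policy, now)


def retirement_report(deps: List[MigratedDependency], policy: RetirementPolicy,
                      now: datetime) -> Dict[str, List[str]]:
    return {d.legacy_account: retirement_blockers(d, policy, now) for d in deps}


# Constructed sample data for the example.
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def sample_dependencies() -> Tuple[MigratedDependency, MigratedDependency]:
    ready = MigratedDependency(
        name="payroll.auth", legacy_account="svc-payroll-legacy",
        new_path_live_since=SAMPLE_NOW - timedelta(days=30),
        granted_scopes={"payroll:read"}, required_scopes={"payroll:read"},
        auth_events_observed=540, revocation_tested=True)
    not_ready = MigratedDependency(
        name="reports.export", legacy_account="svc-reports-legacy",
        new_path_live_since=SAMPLE_NOW - timedelta(days=3),
        legacy_calls_since_cutover=12,
        granted_scopes={"reports:read", "admin"}, required_scopes={"reports:read"},
        auth_events_observed=0, revocation_tested=False)
    return ready, not_ready


def demo() -> Dict[str, List[str]]:
    return retirement_report(list(sample_dependencies()), RetirementPolicy(), SAMPLE_NOW)


if __name__ == "__main__":
    for account, blockers in demo().items():
        print(account, "->", "RETIRE" if not blockers else blockers)
```

The report is what a decommission review should be reading from: the legacy account whose replacement shows no excess scope, steady authentication telemetry, a tested revocation and zero residual legacy calls can go; the one still being called twelve times since cutover is the "privileged access still tied to the legacy core" the article warns about, and the gate keeps it in place until that consumer is mapped.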
Related resources from NHI Mgmt Group
- What is the difference between pattern matching and AI-native classification for sensitive data?
- What breaks when organisations use one Azure identity pattern for every workload?
- Why do standing NHI credentials remain such a high-risk pattern?
- Why do voice and contact-centre workflows need a different identity pattern from normal SSO?
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org